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5 

Method and Apparatus for Encryption and Decryption 
in Remote Data Storage Systems 

BACKGROUND OF THE INVENTION 

1 0 This invention relates to information storage and retrieval, and in 

particular to encryption of data in storage systems having local and remote locations. In 
such systems, data are stored in a local storage system, for example, an array of hard disk 
drives, and data are also stored in a remote storage system. The use of a remote location 
for a copy of the data is desirable because it prevents loss of the data from corruption of 

15 communications links, natural disasters, or other causes. The remote copy function 
creates and maintains mirror volumes (duplicate sets) of the local data, but with the 
volumes of the sets separated by a "long" distance. The two disk systems are directly 
connected by remote links, through which updates to the data stored on the local disk 
system are copied to the remote disk system. 

20 The remote system typically is coupled to the local system using 

communication links or a network, for example, ESCON, FC, TI, T3, ATM, etc. or a 
combination thereof, while suitable protocols are ESCON, SCSI, IP or others. In such a 
computing environment, data is exposed to the danger of corruption, theft and alteration 
because the network, or parts of the network, are publicly accessible, especially when 

25 using the Internet Protocol (IP). 

Some companies, often referred to as storage service providers (SSP), 
provide a service to assist in managing customers' data. These companies sometimes rent 
their storage infrastructure and provide services such as storage management, remote 
copy, etc. to their customers. In such situations, the customers' data is stored in the SSP's 

30 storage system, and may be exposed to access by others. 

U.S. Patents 5,459,857 and 5,544,347 describe remote copy technology 
which uses a remote link to connect two disk systems, enabling maintaining a duplicate 
copy, termed "a mirror," of the local system data on the remote disk system. The local 
disk system copies data on a local disk when duplication, termed "pair creation," is 

35 indicated. When a host updates data on the local disk, the local disk system transfers the 



data to the remote disk system through the remote link. Thus no host operation is 
required to maintain a mirror of two volumes. 

U.S. Patent 5,933,653 discloses a method for transferring data between a 
local disk system and a remote disk system. In a synchronous mode, the local disk 
5 system transfers data to the remote disk system before completing a write request from a 
host. In a semi-synchronous mode, the local disk system completes a write request and 
then transfers the write data to the remote disk system. Succeeding write requests are not 
processed until the previous data transfer is completed. With adaptive copy mode, data to 
be sent to the remote disk system is stored in a memory and transferred to the remote disk 
1 0 system when the local disk system and/or remote links are available for the copy task. 

SUMMARY OF THE INVENTION 
This invention provides a technique for assuring the privacy of a 
customer's data stored in a storage system. Encryption technology is employed in which 

15 a key for encryption and decryption is assigned to a volume or a set of volumes. Both the 
local and the remote disk system use the same key for a pair of volumes or a group of 
volumes. The keys are changeable without interrupting the host input/output operations 
to and from the local disk system. In addition, the keys can be periodically changed to 
improve security. The local disk system, which stores the initially created data, encrypts 

20 the data to be sent to the remote disk system and sends it to the remote disk system, where 
it is stored in encrypted form. To provide for selection of encryption and decryption, the 
local disk system and the remote disk system have a switching mechanism for 
implementing encryption and decryption. The disk systems can communicate with each 
other and change the encryption without losing the consistency of the remote copy. 

25 In one embodiment of the invention, a method of controlling security of 

data in a storage system having a local disk system and a remote disk system includes 
performing certain steps in the local disk system and in the remote disk system. The steps 
performed in the local system include: when a write of data is to be made to the local disk 
system retrieving a previously stored encryption key, encrypting the data, and transferring 

30 the data to the remote disk system. The steps performed in the remote system include: 
retrieving the previously stored encryption key, determining an address for storage of the 
data, decrypting the data, writing the decrypted data in the remote disk system; and 
notifying the local disk system that the step of writing the decrypted data is complete. 
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BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a block diagram illustrating the overall configuration of a 
system according to a preferred embodiment of this invention; 
5 Figure 2 is an exemplary encryption control table; 

Figure 3 is a flowchart illustrating the encryption and decryption process; 
Figure 4 is a flow chart illustrating a first method of transparent key 

exchange; 

Figure 4b illustrates the concept behind transparent key exchange; 
1 0 Figure 5 is a flow chart illustrating a second method of transparent key 

exchange; 

Figure 6 is a flow chart illustrating a first method of controlling 

encryption; 

Figure 7 is a flow chart illustrating a second method of controlling 
15 encryption; and 

Figure 8 is a flow chart illustrating a third method of transparent key 

exchange. 

DESCRIPTION OF THE SPECIFIC EMBODIMENTS 
20 In a system according to an embodiment of this invention, encryption is 

enabled for a storage system having both local and remote disk systems. The assignment 
of encryption keys to volumes is first discussed with respect to Figure 1. Two disk 
systems, referred to as the local disk system 100 and the remote disk system 110, each 
include one or more hard disk drives 102, 112, optical storage disks, flash memories, or 
25 other storage media. While the following description refers to disks, it should be 

understood that any type of data storage media can be employed. Each disk system also 
has processors (not shown) on which appropriate software programs run, additional 
memories for storing control data and tables for the software, etc. One or more host 
computers 115 connect to at least the local disk system 100, by the connection of SCSI 
30 122, Fibre, ESCON, etc. The host computer 115 accesses the disks in the local disk 
system through the connection 122. One or more host computers 118 also may be 
connected to the remote disk system 110. 
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Management consoles 125, 130 provide connections to the local, and 
optionally to the remote disk system, using LAN 133, proprietary connection 135, SCSI, 
Fibre or ESCON, or other well known technique. An administrator manages the disk 
systems through this management consoles 125, 130. If desired, the management console 
5 125 for the local disk system also may connect to the remote disk system. The 

connection between the local and remote disk systems may comprise ESCON, SCSI, 
LAN/WAN or Fibre 140, or combination of them, for example, using a gateway 
appliance. As shown in Figure 1, a key is assigned to a volume or a group of volumes. 
The same key is assigned to a local volume (or a group of local volumes) and to a remote 

10 volume (or a group of remote volumes). One can arbitrarily define groups of volumes. 
For example, one may define a group of volumes deploying an entire database. 

The local 100 and remote 110 disk systems maintain an encryption control 
table 200 as depicted in Figure 2. Each entry in the table is indexed by a volume number 
240, thus allowing a separate key to be assigned to each volume. If a key is assigned to a 

15 group, entries indexed by volume number of the group will have the same value for the 
key 210. The value of key 210 for a volume is the same in both the local disk system and 
remote disk system. The column designated key 210 shows the key assigned to the 
volume listed in the column labeled volume 240, while the encryption 220 and decryption 
230 columns indicate the status of encryption, as follows. A "Yes" in column 220 

20 indicates the local system encrypts the data before sending it to the remote disk system. 
A "No" in column 220 indicates the local system sends ordinary (non-encrypted data) to 
the remote disk system. With respect to column 230, a "Yes" in column 230 indicates 
that the remote system must decrypt the data before using it, while a "No" in column 230 
indicates that the remote copy data has been stored in decrypted form and therefore can 

25 be used without decryption. 

Figure 3 is a flowchart of the encryption and decryption process. Three 
situations will invoke the remote copy process depicted in Figure 3. First, when 
establishing a pair (referred to herein as initial copy), the local disk system 100 copies all 
data on the local disk to the remote disk 1 10. An administrative controller usually 

30 provides the local and remote disk addresses, and both local and remote disk systems 

store this information. Second, when a host updates data to be stored in a local disk 100, 
the local disk system transfers the new (changed) data to the local disk, then the local disk 
system transfers the changed data to the remote disk system. The host provides the 



location of the data in the form of the local disk address. Third, when the local disk 
system schedules copying data to the remote disk, the local disk system transfers the data 
to copy, together with the location of the data and the disk address. 

The desired remote disk address can be retrieved from the local disk 
5 system. As described previously, the local disk system has stored the relationship 

between the local disk or volume and the remote disk or volume when the administrator 
established a pair. This enables the remote disk address to be located. By referring to the 
appropriate entry in the encryption control table corresponding to the address, the remote 
disk system locates the key for the disk. The local disk system knows its local disk 

1 0 address. By referring the entry corresponding to the address in the encryption control 
table 200, it finds the correct key for the disk. Steps 310-330 illustrate locating the right 
key at the remote disk system. A write request from the local disk system to the remote 
disk system includes the remote disk address. Once the address is located, the data is sent 
to the remote disk, decrypted, and stored, all as shown by steps 330-340. When the write 

15 at the remote disk is complete, a message 350 is sent to the local disk system, informing it 
of the completion. 

There are two methods enabling keys to be changed without interrupting 
host operations. Because the remote system will be operating at least slightly later than 
the local system, there will be time differences in the writing of data at the two locations. 

20 This makes it undesirable to just change the key at a designated time. If this were to 
occur, the key exchange might be performed in the middle of an operation. 

Changing enabling keys without interrupting host operations is referred to 
herein as "transparent key exchange." In the first implementation, illustrated by Figure 4, 
the local disk system counts the number of I/O requests from the local disk system to the 

25 remote disk system for each volume pair. (See step 430.) When an administrator 

introduces a new key and initiates key exchange through the management console, the 
local and remote disk systems perform the operations shown in the flowchart in Figure 4. 
In particular, a boundary number is determined which corresponds to the I/O number after 
which the key is to change. Upon detection of this number of I/O operations in the local 

30 disk system, the key is changed. Similarly, upon detection of this number of I/O 
operations in the remote disk system, the key is also changed. 

Figure 4b illustrates this process conceptually. The upper time line 
illustrates operations in the local system, while the lower time line illustrates 
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corresponding operations in the remote system, and that those operations lag the 
operations in the local system. Note that the key is changed after operation 4 in each of 
the local and the remote system, and that this change in key occurs at a different time in 
each system. As illustrated in Figure 4, the request and/or data, sent from local to remote 
5 at steps 41 0 and 440, are encrypted and decrypted by the current key, not the new key. 

The copy process is running during the operations in Figure 4. Therefore 
I/O requests from local to remote are being processed in parallel with the key change 
operation. The local disk system must choose an appropriate I/O number at step 440. It 
then prevents performing the I/O with that number until step 440 completes. 

10 A second method of implementing key exchange, illustrated in Figure 5, is 

by using a pair control mechanism such as splitting and re-synchronizing mirrored pairs. 
When splitting a mirror, the local disk system stops copying data to the remote disk 
system. The local disk system maintains a list of updates from hosts to the local volume, 
usually by using a pending bit map. When re-synchronizing the mirror, the local disk 

1 5 system begins copying pending data to the remote volume by referring to the bit map. 

In the embodiment in which key exchange is performed using the process 
of splitting and re-synchronizing a mirrored pair, an administrator provides the new key 
and instructs key exchange through the management console. Then the local and remote 
disk systems perform the operations in Figure 5. At step 530 the local disk system 

20 changes its pair status, stops copying data to the remote disk system and begins marking 
the bit map. The pair status for both local and remote volumes changes to "Suspend," 
which means data between local and remote disks is not equivalent. In some 
implementation, this process may cause the local disk system to communicate with the 
remote disk system (step 540). At step 550, to validate the new key, the local and the 

25 remote disk system store the new key in the encryption table 210. Then at step 570, after 
re-synchronizing the pair, the local disk system changes its pair status and restarts 
copying in accordance with the bitmap. When the host updates data, the data is also 
copied to the remote system. The pair status switches to "Copy Pending," which means 
copy in progress, and then to "Pair," meaning that the data between local and remote 

30 disks is equivalent. In some implementations, this process may cause the local disk 

system to communicate with the remote disk system (step 580). The remote disk system 
also changes the pair status to "Copy Pending" and then "Pair." 
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The use of encryption or decryption is controllable. Encrypting data may 
cause performance degradation, and some data does not need encryption. The choice of 
whether to encrypt or not is a tradeoff between importance of data and performance, and 
is left to the users' decision. This invention enables the user to choose whether to use 
5 encryption and/or decryption. There are two methods enabling turning encryption and 
decryption on and off. These techniques are depicted in Figure 6 and 7. They use the 
encryption table of Figure 2. 

If a user selects "encryption=YES and decryption=NO" (meaning that the 
remote data is stored encrypted) the methods for changing a key described in Figure 4 and 

10 5 need to be modified. Before changing the key, the data stored in the remote disk was 
encrypted by a first key. When the key is changed, the data is encrypted by a second key 
and stored in the remote disk. This implies data encrypted by two or more different keys 
are present on the remote disk. Although feasible, it is generally undesirable to maintain 
different keys for each encrypted portion of the remote disk. To solve this problem, the 

1 5 remote disk system re-encrypts all data on the remote disk with the new key. A 

predetermined amount of data, e.g. a track, is read from the disk to the cache memory of 
the remote disk system, decrypted by the current key, encrypted by the new key, and then 
stored back to the same location on the remote disk. The remote disk system keeps track 
of this process with a bit map. If the local disk system copies data to a location that has 

20 not finished re-encryption, the remote disk system performs the above operation before 
responding to the local disk system. 

Figure 8 illustrates the above process in detail. As shown, after initializing 
the bitmap at step 800, a copy request (a write I/O request) 810 indicates the location of 
records or blocks to be updated. For example, with the CKD protocol, the location is a 

25 track address and a record number of the heading record, together with the number of 
records, while with the SCSI protocol, a block address of the heading block and number 
of blocks are provided. At step 890, the remote disk system does step 840 to 860 for the 
track(s) that contain the records or the blocks. At step 870 the re-encrypted data is 
written to the disk. 

30 The apparatus and methods described in this invention encrypt and decrypt 

data being transferred between two disk systems. A key for encryption and decryption is 
assigned to a volume. This protects remote copy data from being misappropriated and/or 
altered. An administrator can manage encryption because the remote copy is done for a 
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pair or a group of pairs of volumes. This invention also provides a method to change 
keys transparently. In addition, the invention provides a method that enables an 
administrator to choose when to use encryption and/or decryption, even on a volume by 
volume-pair basis. 

5 The preceding has been a description of the preferred embodiment of the 

invention. It will be appreciated that deviations and modifications can be made without 
departing from the scope of the invention, which is defined by the appended claims. 
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What is claimed is: 



1 1 . A method of controlling security of data in a storage system having 

2 a local disk system and a remote disk system comprising: 

3 in the local disk system: 

4 when a write of data is to be made to the local disk system 

5 retrieving a previously stored encryption key; 

6 encrypting the data; 

7 transferring the data to the remote disk system; then 

8 in the remote disk system: 

9 determining whether the data is to be stored in an encrypted form; 

10 determining an address for storage of the data; 

11 if the data is to be stored in a decrypted form, decrypting the data; 

12 writing the data in the remote disk system; and 

13 notifying the local disk system that the step of writing the data is 

14 complete. 

1 2. A method as in claim 1 further comprising a step of maintaining an 

2 encryption control table on the local disk system, the encryption control table including a 

3 list of encryption keys for selected volumes of the local and the remote disk system. 

1 3. A method as in claim 2 wherein the list of encryption keys further 

2 includes information relating to the use and non-use of encryption on the local disk 

3 system. 

1 4. A method as in claim 2 wherein the list of encryption keys further 

2 includes information relating to the use and non-use of encryption on the remote disk 

3 system. 

1 5. A method as in claim 3 wherein the encryption key is applicable to 

2 less than all of the storage on the local disk system. 

1 6. A method as in claim 4 wherein the encryption key is applicable to 

2 less than all of the storage on the remote disk system. 
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1 7. A method as in claim 3 wherein the encryption key is applicable to 

2 at least one disk on the local disk system. 

1 8. A method as in claim 7 wherein the encryption key is applicable to 

2 at least one disk on the remote disk system. 

1 9. A method for changing an encryption key while operating a storage 

2 system having a local disk system and a remote disk system comprising: 

3 storing an encryption key in a memory in the local disk system; 

4 transmitting the encryption key to the remote disk system and 

5 storing it in a memory there; 

6 in the local disk system determining a boundary for use of the 

7 encryption key; 

8 in both the local and the remote disk system, determining a 

9 relationship of present operations to the boundary; 

10 in both the local and the remote disk system waiting for the 

1 1 boundary, and then changing the encryption key for data stored thereafter. 

1 1 0. A method as in claim 9 wherein operations before the boundary are 

2 performed using a first encryption key and operations after the boundary are performed 

3 using a second encryption key. 

1 1 1 . A method as in claim 9 wherein the boundary is defined by 

2 counting input/output operations and using the count to define the boundary. 

1 1 2. A method for changing an encryption key while operating a storage 

2 system having a local disk system and a remote disk system comprising: 

3 storing an encryption key in a memory in the local disk system; 

4 transmitting the encryption key to the remote disk system and 

5 storing it in a memory there; 

6 splitting the local disk system from the remote disk system to allow 

7 them to operate independently; 

8 using a new encryption key to begin storing data in the local disk 

9 system; and 

1 0 resynchronize the local disk system and the remote disk system. 
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1 1 3 . A method of controlling encryption in a storage system having a 

2 local disk system and a remote disk system comprising: 

3 maintaining a control table in each of the local disk system and the 

4 remote disk system; 

5 determining a boundary in the local disk system where encryption 

6 is to be switched to an opposite state; 

7 determining a corresponding boundary in the remote disk system; 

8 in both the local and the remote disk system, determining a 

9 relationship of present operations to the boundary; 

10 in both the local and the remote disk system waiting for the 

1 1 boundary, and then changing the switching the encryption to the opposite state. 

1 14. A method as in claim 1 3 wherein operations before the boundary 

2 are either encrypted or not encrypted, and operations performed after the boundary are 

3 either not encrypted or encrypted oppositely to those operations performed before the 

4 boundary. 

1 1 5. A method as in claim 14 wherein the boundary is defined by 

2 counting input/output operations and using the count to define the boundary. 

1 1 6. A method of controlling encryption in a storage system having a 

2 local disk system and a remote disk system comprising: 

3 storing an encryption key in a memory in the local disk system; 

4 transmitting the encryption key to the remote disk system and 

5 storing it in a memory there; 

6 splitting the local disk system from the remote disk system to allow 

7 them to operate independently; 

8 switching encryption to an opposite state from a previous state; and 

9 re-synchronizing the local disk system and the remote disk system. 

1 17. A storage system comprising: 

2 a local system including a plurality of volumes of media for storing data; 

3 a first computer program operating on the local system to determine 

4 whether encryption is to be employed in storage of data on the local system, and if so, 
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5 retrieving an encryption key from storage and using the key to encrypt the data to be 

6 stored; 

7 a communications link coupling the local system to the remote system; and 

8 a second computer program operating on the remote system to store the 

9 data in either encrypted form or unencrypted form based and storing the data in that form 
1 0 in the remote system, and notifying the local disk system that the data has been stored. 



1 1 8. A system as in claim 17 further comprising an encryption control 

2 table stored on the local disk system, the encryption control table including a list of 



3 encryption keys for selected volumes of the local system and the remote system. 

1 1 9. A system as in claim 1 8 wherein the list of encryption keys further 

2 includes information relating to the use and non-use of encryption on the local system. 

1 20. A system as in claim 19 wherein the list of encryption keys further 

2 includes information relating to the use and non-use of encryption on the remote system. 

1 2 1 . A system as in claim 20 wherein the encryption key is applicable to 

2 less than all of the storage on the local system. 

1 22. A system as in claim 21 wherein the encryption key is applicable to 

2 less than all of the storage on the remote system. 

1 23. A storage system having a local system and a remote system, and 

2 having changeable encryption keys, comprising: 

3 a local memory which stores an encryption key in the local system; 

4 a communications link connecting the local system to the remote system 

5 for transmitting the encryption key to the remote disk system; 

6 a remote memory which stores the encryption key in the remote system; 

7 a first computer program in the local system which determines a boundary 

8 for use of the encryption key; and 

9 in both the local and the remote disk system, a second computer program 

1 0 for determining a relationship of present operations to the boundary, and changing the 

1 1 encryption key for operations occurring after the boundary. 
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1 24. A system as in claim 23 wherein the second computer program 

2 counts input/output operations to define the boundary. 

1 25. A storage system having a local system and a remote system, and 

2 having changeable encryption keys, comprising: 

3 a local memory which stores an encryption key in the local system; 

4 a communications link connecting the local system to the remote system 

5 for transmitting the encryption key to the remote disk system; 

6 a remote memory which stores the encryption key in the remote system; 

7 a first computer program in the local system which determines a boundary 

8 for use of the encryption key and splitting of the local system from the remote system; 

9 in both the local and the remote disk system, a second computer program 

10 for determining a relationship of present operations to the boundary, and splitting the 

1 1 local system from the remote system at the boundary; 

12 a third computer program for re-synchronizing the local system and the 

13 remote system. 

1 26. A system for controlling encryption in a storage system having a 

2 local system and a remote system comprising: 

3 a local memory storing an encryption key in the local system; 

4 a communications link for transmitting the encryption key to the remote 

5 disk system and storing it in a remote memory there; 

6 a first computer program for splitting the local system from the remote 

7 system to allow them to operate independently; 

8 a switch for changing encryption to an opposite state from a previous state; 

9 and 

10 a second computer program for re-synchronizing the local system and the 

1 1 remote system. 

1 27. A method of controlling security of data in a storage system having 

2 a local disk system and a remote disk system comprising: 

3 in the local disk system: 

4 assigning a key to a first portion of the local disk system; 
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5 encrypting the data stored in the first portion of the local disk 

6 system; 

7 transferring the encrypted data to the remote disk system; then 

8 in the remote disk system: 

9 decrypting the data using the assigned key; and 

10 writing the decrypted data into a second portion of the remote disk 

1 1 system. 

1 28. A method as in claim 27 wherein the first portion comprises at least 

2 a volume of the local storage system and the second portion comprises at least a volume 

3 of the remote disk system. 

1 29. A method as in claim 28 wherein the first portion comprises a 

2 group of volumes of the local storage system, and the second portion comprises a group 

3 of volumes of the remote storage system. 

1 30. A storage system comprising: 

2 a local system including a plurality of volumes of media for storing data; 

3 a remote system including a plurality of volumes of media also for storing 

4 data; 

5 a first computer program operating on the local system to retrieve selected 

6 data from storage on the local system, and encrypt that selected data using an encryption 

7 key; 

8 a communications link coupling the local system to the remote system for 

9 transmitting the encrypted selected data to the remote system; and 

10 a second computer program operating on the remote system to decrypt the 

1 1 selected data received from the communications link and store that selected data in 

12 unencrypted form in the remote system. 

1 3 1 . A system as in claim 30 further comprising an encryption control 

2 table stored on the local disk system, the encryption control table including a list of 

3 encryption keys for selected volumes of the local system and the remote system. 
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Method and Apparatus for Encryption and Decryption 
in Remote Data Storage Systems 

5 ABSTRACT OF THE DISCLOSURE 

In a storage system having local and remote disk systems, a system is 
described for selectively controlling the security of data on a volume by volume basis, for 
transparently exchanging encryption keys between the local and remote disk systems, and 
for controlling when encryption is used in the storage of data. 
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Figure 1. System Configuration 
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Figure 2. Encryption Control Table 200 
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Figure 5. Transparent Key Exchange 



Local Disk System 



610 



Store "encryption = NO and 
decryption = NO" to a memory and 
send it to the remote disk system 



630 



Get the current I/O number of the 
volume pair 



640 



Choose the appropriate I/O number 
(the boundary number) to switch 
encryption and decryption off and 
send it to remote disk system 



^660 



Wait for the I/Os with the boundary 
number; I/Os w/ the boundary number 
or smaller are encrypted with the 
current key 



670 



Store "NO" to Encryption220 and 
Decryption230; I/Os w/ the number 
greater than the boundary number are 
not encrypted 



Remote Disk System 



^620 



Store "encryption=NO and 
decryption=NO" to a memory 



650 



Wait for the I/Os with the boundary 
number; I/Os w/ the boundary number 
or smaller are decrypted with the 
current key 



680 



Store "NO" to Encryption220 and 
Decryption230; I/Os w/ the number 
greater than the boundary number are 
not decrypted 



Figure 6. Switching Encryption and Decryption off 



Local Disk System 



710 



Store "encryption=NO and 
decryption-NO" to a memory and 
send it to the remote disk system 



730 



Split the pair (Stop copying data to 
remote the disk system) 



750 



Store "NO" to Encryption220 and 
Decryption230 



^770 



Re-synchronize the pair (start copying 
data to the remote disk system) 



(^end^) 



Remote Disk System 



^720 



Store "encryption=NO and 
decryption=NO" to a memory 



^740 



Split the pair 



760 



Store "NO" to Encryption220 and 
Decryption230 



780 



Re-synchronize the pair 



Figure 7. Switching 



Encryption and Decryption off 



± ^800 

Set all bits of the re-encryption bitmap 
to 1 (one) 



810 



Copy request exists from the 

local disk system? ^ 



YES 



NO 



^890 



Do step 840 to 860 for the track of the 
request and then execute copy request 



_ ^820 
All bits of the re-encryption \, YES 



bitmap are 0 (zero)? 



> 



NO 



-830 



Find the next track whose bit is 1 


(one) 






f ^840 


Read a track from the disk to the 


cache 






f ^-850 


Decrypt the track by the current key 




r ^860 


Encrypt the track by the new key 




r ^870 


Write the track from the cache to the 


disk 






r ^880 


Set 0 (zero) to the bit of the re- 


encryption bitmap 





C^^nd^) 



Figure 8. Transparent Key Exchange 



Attorney Docket No. 1 6869C-008600 
Client Ref. No. HAL-ID 137 



DECLARATION AND POWER OF ATTORNEY 



As a below named inventor, I declare that: 

My residence, post office address and citizenship are as stated below next to my name; I believe I am the original, first and sole 
inventor (if only one name is listed below) or an original, first and joint inventor (if plural inventors are named below) of the 
subject matter which is claimed and for which a patent is sought on the invention entitled: "Method and Apparatus for 
Encryption and Decryption in Remote Data Storage Systems," the specification of which is enclosed herewith. 

I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any 
amendment referred to above. I acknowledge the duty to disclose information which is material to the patentability of this 
application in accordance with Title 37, Code of Federal Regulations, Section 1.56. I claim foreign priority benefits under Title 
35, United States Code, Section 119 of any foreign applications) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a filing date before that of the application on 
which priority is claimed. 

Prior Foreign Application(s) 



Country 


Application No. 


Date of Filing 


Priority Claimed Under 
35 USC 119 











I hereby claim the benefit under Title 35, United States Code § 1 19(e) of any United States provisional applications) listed below: 



Application No. 


Filing Date 







I claim the benefit under Title 35, United States Code, Section 120 of any United States applications) listed below and, insofar as 
the subject matter of each of the claims of this application is not disclosed in the prior United States application in the manner 
provided by the first paragraph of Title 35, United States Code, Section 112, I acknowledge the duty to disclose material 
information as defined in Title 37, Code of Federal Regulations, Section 1.56 which occurred between the filing date of the prior 
application and the national or PCT international filing date of this application: 



Application No. 


Date of Filing 


Status 









POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this 
application and transact all business in the Patent and Trademark Office connected therewith. 

Robert C. Colwell, Reg. No. 27,431 
William L. Shaffer, Reg. No. 37,234 
Paul A. Durdik, Reg. No. 37,819 
Kim Kanzaki, Reg. No. 37,652 
George B.F. Yee, Reg. No. 37,478 



Send Correspondence to: 


Direct Telephone Calls to: 


Robert C. Colwell 


(Name, Reg. No., 


Telephone No.) 


TOWNSEND and TOWN SEND and CREW LLP 


Name: 


Robert C. Colwell 


Two Embarcadero Center, 8 th Floor 


Reg. No.: 


27,431 


San Francisco, California 94111-3834 


Telephone: 


650-326-2400 



Page 1 of 2 



DECLARATION AND POWER OF ATTORNEY - Continued 



Attorney Docket No. 16869C-008600 
Client Ref. No. HAL-ID 137 



I further declare that all statements made herein of my own knowledge are true and that all statements made on information and 
belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the 
like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code, and that 
such willful false statements may jeopardize the validity of the application or any patent issuing thereon. 



Inventor No. I: 



Kenji Yamagami 

108 Calle Hivel 

Los Gatos, California 95032 

Citizenship: Japan 



Inventor No, 2: 



AMra Yamamoto 
1202 Ruppell Place 
Cupertino, California 95012 
Citizenship: Japan 



Inventor No. 3: 



Naoko Iwami 

19500 Pruneridge Avenue, #621 1 
Cupertino, California 95014 
Citizenship: Japan 



Inventor No. 4: 



Masayuki Yamamoto 

965 East El Camino Real, #721 
Sunnyvale, California 94087 
Citizenship: Japan 



/ Kenj^yamagami 



Aliira Yamamoto 



Date: 



£ / / 



c/O 




JSaoko Iwami 



Date 



Oo 



Date: 



MasayukTYamamoto 



PA 3077605 v1 



Page 2 of 2 



